Configure SSH Proxy
SSH Proxy decryption requires no certificates. It decrypts inbound and outbound SSH sessions so that attackers can't use SSH to tunnel potentially malicious applications and content. The key used to decrypt SSH sessions is generated automatically on the firewall during boot-up. With SSH decryption enabled, the firewall decrypts SSH traffic and blocks or restricts it based on your Decryption policy and Decryption profile settings. Traffic is re-encrypted as it exits the firewall.

When you configure SSH Proxy, the proxied traffic does not support DSCP code points or QoS.
- Ensure that the appropriate interfaces are configured as virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
  View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays whether an interface is configured as a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
- Create a Decryption Policy Rule to define the traffic for the firewall to decrypt, and Create a Decryption Profile to apply checks to the SSH traffic.
  Although Decryption profiles are optional, it is a best practice to include a Decryption profile with each Decryption policy rule to prevent weak, vulnerable protocols and algorithms from allowing questionable traffic on your network.
- Select Policies > Decryption, Add or modify an existing rule, and define the traffic to be decrypted. Select Options and:
  - Set the rule Action to Decrypt matching traffic.
  - Set the rule Type to SSH Proxy.
  - (Optional but a best practice) Configure or select an existing Decryption Profile to block and control various aspects of the decrypted traffic (for example, create a Decryption profile to terminate sessions with unsupported versions and unsupported algorithms).
  Click OK to save.
- Commit the configuration.
- (Optional) Continue to Decryption Exclusions to disable decryption for certain types of traffic.
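The best practice above (every SSH Proxy rule that decrypts should carry a Decryption profile) is easy to verify against an exported firewall configuration. The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: it parses a constructed XML fragment whose layout (a `rulebase/decryption/rules/entry` element with `action`, `type/ssh-proxy` and `profile` children) is this example's assumption about how the exported configuration represents a decryption rule, and reports the rules that decrypt SSH without a profile.

```python
"""Audit decryption rules for the SSH Proxy best practice: a rule with
Type SSH Proxy and Action Decrypt should reference a Decryption profile.
Example code, not part of the PAN-OS documentation. The XML layout used
below is an assumption about the exported configuration format."""
import xml.etree.ElementTree as ET

# Constructed sample configuration fragment (not a real firewall export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><decryption><rules>
      <entry name="ssh-proxy-with-profile">
        <action>decrypt</action>
        <type><ssh-proxy/></type>
        <profile>strict-ssh</profile>
      </entry>
      <entry name="ssh-proxy-no-profile">
        <action>decrypt</action>
        <type><ssh-proxy/></type>
      </entry>
      <entry name="ssh-no-decrypt">
        <action>no-decrypt</action>
        <type><ssh-proxy/></type>
      </entry>
      <entry name="web-forward-proxy">
        <action>decrypt</action>
        <type><ssl-forward-proxy/></type>
        <profile>strict-ssl</profile>
      </entry>
    </rules></decryption></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def ssh_proxy_rules(config_xml):
    """Return (name, action, profile) for every decryption rule of type SSH Proxy.

    Rules of other types (for example SSL Forward Proxy) are skipped.
    """
    root = ET.fromstring(config_xml)
    rules = []
    for entry in root.iterfind(".//rulebase/decryption/rules/entry"):
        # The rule type is encoded as a child element under <type>.
        if entry.find("type/ssh-proxy") is None:
            continue
        action = entry.findtext("action", default="")
        profile = entry.findtext("profile")  # None when no profile is attached
        rules.append((entry.get("name"), action, profile))
    return rules


def find_rules_missing_profile(config_xml):
    """Names of SSH Proxy rules that decrypt but have no Decryption profile.

    A no-decrypt rule is not flagged: no profile checks apply to traffic
    the firewall does not decrypt.
    """
    return [name for name, action, profile in ssh_proxy_rules(config_xml)
            if action == "decrypt" and not profile]


if __name__ == "__main__":
    for rule_name in find_rules_missing_profile(SAMPLE_CONFIG):
        print(f"SSH Proxy rule '{rule_name}' decrypts without a Decryption profile")
```

Run against a real export by replacing `SAMPLE_CONFIG` with the file contents; any rule it reports should get a Decryption profile attached (or be consciously left without one) before the configuration is committed.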